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1 . INTRODUCTION 

In  1972,  while  at  the  University  of  Edinburgh,  we  began  work  on  a 
theorem  prover  for  primitive  recursive  functions  in  the  domain  of 
binary  trees  with  the  single  atom  NIL  at.  the  tips.  This  theorem  prover 
became  known  as  the  "Boyer-Moore  Pure  LISP  Theorem  Prover"  and 
could  prove  a wide  variety  of  simple  theorems  about  functions  in  the 
above  domain  [ 1 ] . 

In  the  four  years  since  we  began  work  on  that  theorem  prover  we  have 
catalogued  a large  number  of  inadequacies  in  its  theory, 
heuristics,  philosophy,  and  implementation  (as  well  as  an  equally 
large  number  of  good  ideas  in  each  of  those  departments).  During 
the  past  three  months  we  have  finally  begun  the  construction 
of  a new  theorem  prover  designed  to  remedy  the  inadequacies  of  the 
original  while  taking  advantage  of  the  good  ideas. 

From  the  outside,  the  most  radical  change  is  that  the  theory  with 
which  the  theorem  prover  deals  is  that  of  total  (but  not  necessarily 
primitive)  recursive  functions  in  a domain  of  axiomatically  specified 
finitely  constructable  objects.  The  theorem  prover  contains  built-in 
knowledge  about  IF-THEN-ELSE  (as  the  only  logical  connective), 

EQUAL  (standard  equality),  typed  n-tuples  (useful  in  the  introduction 
of  new  data  types),  and  recursion/induction.  All  aspects  of  the  theorem 
prover,  from  its  symbolic  evaluator  to  its  induction  mechanism, 
are  completely  controlled  by  axioms  and/or  proved  lemmas. 

The  new  theorem  prover  is  like  the  old  one  in  being  completely 
automatic  (subject  to  the  above  caveat  concerning  axioms  and  lemmas). 

It  also  shares  the  philosophy  that  one  should  simplify  a formula 
whenever  possible  and  be  able  to  invoke  induction  as  a last  resort. 

The  cross-ferti lizat ion  and  general ization  heuristics  have  been  kept. 


The  research  described  here  has  been  supported  by  the  Office  of  Naval 
Research  under  Contract  N000 1 75— C— 08 1 6,  the  National  Science 
Foundation  under  Grant.  DCR72-03737A01 , and  the  Air  Force  Office  of 
Scientific  Research  under  Contract  F44620-73-C-0068 . 


Many  new  ideas  have  been  introduced,  including: 

• A mechanism  for  introducing  new  data  types  (however, 
the  language  itself  is  still  untyped). 

. A very  fast  and  powerful  facility  for  determining  the  type 
of  an  exprescion  or  function. 

. A mechanism  for  introducing  new  axioms. 

. A very  powerful  lemma-driven  simplifier. 

. A new  induction  mechanism  which  uses  the  principle  of 
lexicographic  ordering  and  axioms  and/or  lemmas  about 
well-founded  partial  orders  to  produce  structural 
inductions  (in  the  general  sense  in  which  Burstall 
defined  it  [2]). 

. A mechanism  for  eliminating  many  irrelevant  details 
from  automatically  generated  sub-goals  (lemmas). 

. A "proof  monitor"  which  allows  the  use  of  previously  proved 
sub-goals  during  a proof,  and  which  can  inform  the  theorem 
prover  that  it  is  failing. 

Since  we  are  still  constructing  the  new  theorem  prover  and  daily  changing 
many  basic  ideas,  we  have  not  yet  documented  it. 

The  pew  theorem  prover  is  capable  of  proving  all  the  old  theorems  (when 
reformulated  in  the  new  theory)  and  is  currently  being  tested  on  new 
theorems  (indeed,  new  theories,  since  the  new  version  admits  the 
introduction  of  axioms). 

The  first  new  theorem  the  system  was  tried  on  was  the  correctness 
of  a simple  optimizing  compiler  for  expressions.  We  believe 
its  automatic  proof  of  this  result  augurs  well  for  its  future 
capabilities. 
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2.  AN  INFORMAL  DISCUSSION  OF  THE  THEORY 

Section  7 of  this  document  is  a machine-gererat.ed  listing  of  the 
axioms,  definitions,  and  lemmas  involved  in  the  proof  of  the 
correctness  of  our  optimizing  compiler.  This  Section  is  devoted 
to  an  informal  discussion  of  the  theory. 

The  theory  contains  six  types  of  objects:  TRUE,  FALSE,  non-negative 

integers  (constructed  from  0 with  ADD1),  literal  atoms  ("words") 
^constructed  with  PACK),  ordered  pairs  (constructed  with  CONS), 
and  push-down  stacks  (constructed  with  PUSH). 

The  axioms  in  Section  7 define  these  objects  formally,  specify 

the  equality  relations  between  them,  and  define  the  various  functions 

for  manipulating  them. 

It  should  be  noted  that  induction  on  objects  such  as  the  ordered 
pairs  is  permitted  by  virtue  of  axioms  such  as  the  one  named 
CDR-LESSP  in  Section  7.  That  axiom  states: 

(IF  (LISTP  X) 

(LESSP  (COUNT  (CDR  X))  (COUNT  X)) 

TRUE). 

Sirce  LESSP  is  known  to  be  a well-founded  ordering  this  axiom  permits 
an  induction  such  as: 

“(LISTP  X)  ->  (P  X) 

& 

(LISTP  X)  & (P  (CDR  X))  ->  (P  X) 

to  prove  (P  X)  for  all  X.  The  theorem  prover's  induction  mechanism  can 
chain  many  such  axioms  together  to  derive,  for  example,  that  when 
(LISTP  X)  and  (LISTP  (CDR  X))  then  (COUNT  (CDR  (CDR  X)))  is  less 
than  (COUNT  X),  thus  justifying  an  inductive  hypothesis  about 
(CDR  (CDR  X))  (under  appropriate  conditions). 

Proving  a lemma  such  as: 

(IF  (LESSP  I MAX) 

(LESSP  (DIFFERENCE  MAX  (ADD1  I))  (DIFFERENCE  MAX  I)) 

TRUE) 


informs  the  theorem  prover  that  it  is  sound  to  "induct  up"  by 
(possibly  nested)  ADDI's  to  some  maximum. 
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The  theorem  prover  also  knows  that  it  can  choose  to  instantiate 
free  variables  in  the  hypothesis  of  an  inductive  assumption, 
and,  indeed,  can  choose  several  such  instantiations.  This  fact 
is  used  in  the  compiler  proof. 

We  have  implemented  certain  cosmetic  functions  allowing  the 
convenient  expression  of  constants  in  the  theory.  For  example, 
INTERLISP  integers  appearing  in  input  to  the  theorem  prover  are 
translated  into  the  appropriate  ADD1  nests,  which  are  printed  back 
out  as  digits.  The  word  NIL  is  translated  into  (PACK  0)  which,  in 
turn,  is  printed  as  NIL.  Similarly,  any  word  preceded  by  (or 
embedded  in  a QUOTE  form)  in  the  input  is  translated  into  (PACK  n), 
where  n is  the  number  of  such  distinct  words  seen  so  far.  Thus, 

'PUSHI  is  translated  into  (PACK  1),  which,  in  turn,  is  printed  as 
' PUSHI . Finally,  INTERLISP  S-expreusiors  preceded  by  (or 
embedded  in  QUOTE  forms)  are  translated  into  the  appropriate  CONS 
terms,  e.«r.(  '(PLUS  1 X)  might  become: 

(CONS  (PACK  11)  (CONS  (ADD1  0)  (CONS  (PACK  5)  (PACK  0)))), 
(depending  only  upon  how  many  other  quoted  words  had  been  introduced). 
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3.  THE  FUNCTIONS  INVOLVED  IN  THE  PROOF 

Section  7 contains  the  formal  definitions  of  all  of  the  functions 
involved  in  the  proof  of  correctness  of  the  compiler.  In  this  Section 
we  will  briefly  describe  each  of  the  main  functions. 

The  recursive  predicate  FORMP  recognizes  S-expressions  representing 
expressions.  For  simplicity  we  only  consider  compiling  numerically 
valued  expressions  involving  numbers,  variables,  and  the  application 
of  binary  functions  to  (the  values  of)  two  sub-expressions.  We 
represent,  expressions  as  S-expressions  in  the  obvious  way.  A typical 
expression  is: 

(3+** ) * ( X * ( Y *6 ) ) 
and  is  represented  as: 

’(TIMES  (PLUS  3 4)  (TIMES  X (TIMES  Y 6))). 

The  function  EVAL  defines  the  value  of  a form  in  an  environment  which 
specifies  the  values  of  the  variables.  We  used  two  undefined 
functions,  GETVALUE  and  APPLY,  to  define  EVAL.  GETVALUE  takes  two 
arguments,  a variable  and  an  environment,  and  is  supposed  to  return 
the  value  of  the  variable  in  that  environment.  APPLY  takes  three 
arguments,  a function  name  and  two  argument  values,  and  is  supposed 
to  return  the  value  of  the  function  on  the  two  arguments.  Since  both 
EVAL  and  the  "hardware"  use  these  primitives,  their  definition  was 
not  necessary:  regardless  of  what  meaning  one  attaches  to  the  terms 
"value  of  X in  ENV"  and  "the  value  of  fn  on  x and  y,"  the  compiler 
must  produce  code  which  causes  the  hardware  to  produce  the  same 
result  EVAL  would. 

As  an  example  of  EVAL,  consider  defining  GETVALUE  as  ASSOC 
and  adding  the  axioms: 

(APPLY  'PLUS  XY)  : (PLUS  X Y), 


and 


(APPLY  'TIMES  XY)  : (TIMES  X Y), 

then: 

(EVAL  '(TIMES  (PLUS  3 *0  (TIMES  X (TIMES  Y 6))) 
'((X  . 2) (Y  . 5))) 

r 420. 
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The  function  OPTIMIZE  takes  a form  end  returns  another  form 

which  will  always  have  the  same  value  (as  computed  by  EVAL)  as  the  input 

form.  OPTIMIZE  works  by  optimizing  the  arguments  to  a function  call, 

and  then,  provided  both  arguments  have  been  optimized  to  integers, 

it  replaces  the  function  call  by  the  value  of  the  function  on  the 

two  integers.  That  is,  OPTIMIZE  just  performs  "constant  folding." 

The  code  generator,  CODEGEN,  takes  as  input  a form  to  be  compiled  and  an 
arbitrary  list  of  initial  instructions.  The  second  argument  is  used 
merely  as  an  accumulator  during  the  compilation.  As  output,  CODEGEN 
produces  a list  of  "machine  instructions"  which  should  be  executed  in 
REVERSE  order  on  a "hardware"  machine  with  a push-down  stack. 

For  example, 

(REVERSE  (CODEGEN  ’(TIMES  (PLUS  3 *0  (TIMES  X (TIMES  Y 6)))  NIL)) 

= ’((PUSHI  3) 

(PUSHI  H) 

PLUS 

(PUSHV  X; 

(PUSHV  Y) 

(PUSHI  6) 

TIMES 
TIMES 
TIMES ) . 

The  meanings  of  the  instructions  are:  (PUSHI  n) 

means  "push  n,"  (PUSHV  x)  means  "push  the  value  of  x in  the 
current  environment,"  and  anything  else  is  taken  as  a function 
name  and  means  "pop  two  things  off  the  stack  ana  push  the  value  of 
the  function  on  the  two  things  popped  off." 

The  compiler,  COMPILE,  first  optimizes  its  input  form  with  OPTIMIZE, 
then  calls  CODEGEN  with  the  optimized  form  and  the  initial  list  of 
instructions  NIL,  and  returns  the  REVERSE  of  the  output.  For  example, 

(COMPILE  '(TIMES  (PLUS  3 *0  (TIMES  X (TIMES  Y 6)))) 

= ((PUSHI  7) 

(PUSHV  X) 

(PUSHV  Y) 

(PUSHI  6) 

TIMES 

TIMES 

TIMES). 
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Finally,  the  function  EXEC  is  defined  as  the  "hardware."  This 
function  takes  a list  of  instructions,  a push-down  stack,  and  an 
environment  (specifying  variable  values)  and  interprets  the 
instructions  in  the  obvious  way.  When  it  has  exhausted  the 
list  of  instructions  it  returns  the  final  value  of  the 
push-down  stack. 

All  function  definitions  introduced  are  translated  according 
to  the  cosmetic  conventions  mentioned  above.  In  addition, 
a macro  facility  is  available  to  permit  the  input  syntax  to  vary 
radically  from  the  usual  LISP-like  notation  we  prefer.  This 
facility  is  used  to  make  the  definition  of  EXEC,  for  example, 
look  like  it  is  written  in  a dialect  of  assembly  language. 

Definitions  involving  PROG,  SETQ,  GO,  and  RETURN  are  translated 
into  recursive  definitions.  In  Section  7 we  present  both  the 
"pretty"  and  the  translated  (recursive)  definitions  of  all 
functions. 

The  reader  is  advised  to  turn  to  Section  7 and  study  the  definitions 
of  FORMP,  EVAL,  OPTIMIZE,  COGEGEN,  COMPILE,  and  EXEC  before  proceeding. 
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4.  AN  INFORMAL  DISCUSSION  OF  THE  THEOREMS  PROVED 

The  main  theorem  proved  is: 

(IMPLIES  (FORMP  X) 

(EQUAL  (EXEC  (COMPILE  X)  PDS  ENVRN ) 

(PUSH  (EVAL  X ENVRN)  PDS))). 

This  says  that,  when  X is  a form,  executing  the  output  of  the  (optimizing) 
compiler  merely  pushes  the  value  of  ( unopt.  imi  zed)  X onto  the  stack. 

Each  theorem  the  theorem  prover  proves  is  given  a name,  so 
tt  t it  can  be  referenced  as  a lemma  in  later  proofs.  We  have 
assigned  the  name  "CORRECTNESS. OF. OPTIMIZING. COMPILER"  to  the  main 
result  above. 

This  theorem  is  proved  by  the  invocation  of  three  lemmas  which  were 
also  proved  by  the  theorem  prover  (but,  of  course,  posed  by  the  authors). 
These  lpmmas  and  their  names  are: 

CORRECTNESS . OF . CODEGEN : 

(IMPLIES  (FORMP  X) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 

CORRECTNESS . OF . OPTIMIZE : 

(IMPLIES  (FORMP  X) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))), 

and 

FORMP. OPTIMIZE: 

(IMPLIES  (FORMP  X) 

(FORMP  (OPTIMIZE  X))). 

Note  that  CORRECTNESS. OF. CODEGEN  states  that  CODEGEN  is  correct 
in  *he  sense  that  executing  the  reverse  of  (CODEGEN  X INS)  produces 
a stack  which  has  the  value  of  X on  the  top  and  the  stack  produced 
by  executing  the  reverse  of  INS  underneath.  This  is  just  the 
McCart.hy-Painter  theorem  (for  our  CODEGEN  and  EXEC).  The  theorem  prover 
reauires  the  following  lemma  in  order  to  prove  CORRECTNESS. OF. CODEGEN: 

SEQUENTIAL. EXECUTION: 

(EQUAL  (EXEC  (APPEND  X Y)  PDS  ENVRN) 

(EXEC  Y (EXEC  X PDS  ENVRN)  ENVRN)). 
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This  lemma  just  says  that  if  one  appends  two  sequences  of  instructions 
and  executes  the  result,  the  push-down  stack  is  the  same  obtained 
by  executing  the  second  sequence  on  the  stack  obtained  by  executing 
the  first.  Having  proved  this  lemma,  our  theorem  prcver  can  automatically 
prove  the  correctness  of  CODEGEN. 

CORRECTNESS. OF. OPTIMIZE  states  that  the  output  cf  OPTIMIZE 
always  has  the  same  value  (under  EVAL)  as  its  input. 

FORMP. OPTIMIZE  merely  states  that  OPTIMIZE  produces  a form  if  given 
one . 

It  is  clear  how  CORRECTNESS. OF. CODEGEN  and  CORRECTNESS.OF.CPTIMIZE 
contribute  to  the  proof  of  CORRECTNESS. OF . OPTIMIZING. COMPILER . 

Less  obvious  is  the  necessity  of  backwards  chaining  through 
FORMP. OPTIMIZE  to  relieve  the  hypothesis  of  CORRECTNESS. OF. CODEGEN. 

The  theorem  prover  proved  these  five  theorems  in  the  order 
FORMP. OPTIMIZE,  CORRECTNESS. OF . OPTIMIZE , SEQUENTIAL. EXECUTION, 

CORRECTNESS. OF. CODEGEN,  and  CORRECTNESS. OF . OPTIMIZING. COMPILER . 

Except  for  the  definitions  of  the  functions  concerned  and  the 
statement  of  the  theorems  (in  the  order  given),  no  user  help 
was  reouired. 
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5.  A NOTE  ON  THE  McCA FTHY- PA INTER  COMPILER  PROOF 

The  wel 1-krown  McCarthv-Pa inter  compiler  correctness  theorem  [5]  i? 
analogous  to  our  lemma  CORRECTNESS. OF . CODEGEN . Their  "hardware" 
differs  from  ours  in  that  temporary  results  are  stored  in  addressable 
registers  rather  than  a push-down  stack.  This  somewhat  complicates  the 
compiler,  since  it  must  know  in  what  address  it  left  which 
result.  However,  while  our  compiler  only  lays  down  pushes  and  pops, 
it  should  be  noted  that  the  proof  requires  arguing  that  every  pop  caused 
by  compiled  code  is  matched  by  a previous  push  (of  the  correct  result). 

As  explained  above,  while  the  proof  of  correctness  for  the  optimizing 
compiler  reauires  four  lemmas,  the  theorem  prover  only  needs  one  lemma 
to  establish  automat ioally  the  correctness  of  CODEGEN. 

The  McCarthy-Painter  proof  was  first  done  by  hand  in  1967. 

We  know  of  three  mechanically  checked  proofs  of  the  theorem. 

The  first  was  apparently  by  Diffie  [ ^ ] with  his  proof  checker  for  first 
order  predicate  calculus.  The  second  was  by  Milner  and  Weyhrauch  r6J 
with  their  LCF  proof  checker.  The  third  was  by  Cartwright  (3]  with 
his  interactive  verifier  for  TYPED  LISP.  Because  of  the  proof  checker 
orientation  of  these  systems  these  three  proofs  required  a fair 
amount  of  user  guidance.  We  are  aware  that  Milner  (now  at  the 
Computer  Science  Department  of  the  University  of  Edinburgh)  is  working 
on  a more  automatic  LCF  theorem  prover  and  we  believe  his  system  might 
now  be  capable  of  producing  this  proof. 

It  should  also  be  noted  that  we  first  proved  the  correctness  of  CODEGEN 
using  a function  called  LITEXEC,  which  is  similar  to  the  LIT  function 
employed  in  Purstall's  proof  [2].  We  then  had  the  theorem  prover  prove 
the  eouivalence  of  EXEC  and  LITEXEC.  Later  we  discovered  that,  with  the 
SEQUENTIAL. EXECUTION  lemma,  the  theorem  prover  could  prove  the  correctness 
of  CODEGEN  directly,  stated  as  it  is  here  presented. 
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6.  BUGS  DISCOVERED  BY  ATTEMPTED  PROOFS 

To  our  great  surprise  the  first  three  times  we  tried  to  prove  these 
theorems  the  theorem  prover  failed  in  such  a way  as  to  make 
obvious  three  honest  mistakes  in  our  implementation  of  the 
functions  concerned. 

The  first  bug  was  in  OPTIMIZE.  When  it  finds  a sub-expression, 
such  as  '(PLUS  3 ‘O  in  '(TIMES  (PLUS  3 “O  X),  it.  replaces  the 
sub-expression  by  the  value  of  applying  the  function  to  the  indicated 
constants.  Under  the  interpretation  of  APPLY  we  had  in  mind,  this 
would  yield,  in  the  above  case,  '(TIMES  7 X).  However,  originally 
we  did  not  explicitly  assume  that  our  expressions  were  numerically 
valued.  Conseauently,  upon  trying  to  prove  the  correctness  of 
OPTIMIZE,  the  theorem  prover  failed  on  the  sub-goal: 

(IMPLIES  (AND  (NOT  (LISTP  Z))  (NOT  (NUMBERP  Z))) 

(EQUAL  (GETVALUE  Z ENVRN ) Z)). 

This  goal  arose  (after  generalizing  (APPLY  FN  I J)  to  Z)  from 
considering  the  possibility  that  OPTIMIZE  encountered  an 
optimizable  sub-expression,  such  as  (FN  I J)  where  I and  J were 
numbers,  and  such  that  (APPLY  FN  I J)  produced  a non-number, 
non-list  answer.  For  example,  if  the  application  of  FN  to  3 end  M 
produces  the  literal  atom  Y,  then  optimizing  (G  (FN  3 4)  X)  produces 
i (G  Y X).  Thus,  evaluating  the  optimized  form  would  apply  G to  the  values 

of  Y and  X,  while  evaluating  the  unoptimized  form  would  apply  G to 
the  literal  atom  Y and  the  value  of  X. 

We  remedied  the  situation  by  introducing  the  only  axiom  about  APPLY: 
(NUMBERP  (APPLY  FN  X Y)). 


The  second  bug  was  in  EXEC's  handling  of  function  calls.  When 
it  was  time  to  pop  the  stack  and  apply  a function,  EXEC  popped 
the  stack  into  AC1,  then  popped  the  next  thing  into  AC2,  and  then  pushed 
(APPLY  FN  AC1  AC2).  However,  upon  trying  to  prove  the  correctness 
of  CODEGEN,  the  theorem  prover,  after  a generalization,  stopped 
because  it  could  not  prove: 

(EQUAL  (APPLY  FN  AC  1 AC2)  (APPLY  FN  AC2  AC1 ) ) . 

That  is,  it  had  to  prove  that  all  the  functions  in  our  expressions 
were  commutative!  The  first  definition  of  EXEC  swapped  the  arguments  to 
functions  because  we  had  overlooked  the  fact  that  the  value  of  the 
first  argument  expression  is  pushed  first,  and  hence  is  the  second 
thing  on  the  stack  at  the  time  of  a function  call. 
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The  third  bug  we  discovered  was  in  FORMP.  Originally  we  believed 
that  it  did  not  matter  what  the  CAR  of  s form  was.  This  was 
because  APPLY,  being  undefined,  could  be  understood  to  make  some 
sense  out  of  any  possible  "function  name."  Therefore,  the  original 
definition  of  FORMP  did  not  have  the  (NLISTP  (CAR  X))  check. 

This  permitted  forms  with  non-atomic  function  names.  Upon  trying 
to  prove  the  correctness  of  CODEGEN  the  theorem  prover  stopped  on  the 
subgos 1 : 

(EQUAL  X (APPLY  (LIST  'PUSHI  X)  ARG1  ARG2) ) . 

This  goal  arises  by  considering  a form  such  as: 

’((PUSHI  X)  ARG1  ARG2) . 

The  compiled  code  is: 

' ( ( PUSHV  ARG1 ) (PUSHV  ARG2)  (PUSHI  X)), 

(since  function  names  are  laid  down  as  single  instructions  which 
supposedly  cause  EXEC  to  pop  the  stack  twice  and  push  the  result 
of  applying  the  function).  However,  if  the  CAR  of  the  form  can  be 
confused  with  a PUSHI  or  PUSHV  instruction,  EXEC  would  not 
call  APPLY  (as  EVAL  would)  but  merely  PUSH  the  indicated  value. 

Hence  the  above  sub-goal. 

It  is  interesting  to  note  that  all  three  of  these  bugs  escaped  our 
rudimentary  testing  of  the  functions.  In  particular,  we  had  confirmed, 
by  example,  that  all  the  functions  were  "correct,"  by  testing  them 
on  a variety  of  arithmetic  expressions.  Unfortunately,  all  of  our  test 
cases  were  with  numerically  valued  commutative  functions  with  atomic 
names,  such  as  TIMES  and  PLUS. 
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7.  THE  THEORY  BEHIND  THE  PROOF  OF  "CORRECTNESS . Or . OPTIMIZING . COMPILER" 

Below  we  give  the  axioms,  lemmas,  function  definitions  and  abbreviations 
used  in  the  proof  of  CORRECTNESS.OF.OPTIMIZING.COMPILER. 

The  expression  (IF  x y z)  means  "if  x is  not  (FALSE),  then  y,  else 
z."  The  expression  (EQUAL  x y)  means  "if  x is  y then  (TRUE),  else 
(FALSE)." 

The  axioms  about  TRUE,  FALSE,  0,  ADD1 , SUB  1 , and  NUMBERP  were  all 
typed  into  the  system  by  hand  and  are  part  of  the  standard  "loadup" 
for  the  theorem  prover. 

The  axioms  about  PACK,  CONS  and  PUSH  (and  their  accessors,  recognizers, 
and  default  values)  were  all  generated  automatical ly  by  a mechanism 
allowing  the  introduction  of  typed  n-tuples.  In  particular,  these 
axioms  were  generated  by  incanting: 

(ADD. SHELL  PACK 

(UNPACK) 

LITATOM 

(NIL)), 

(ADD. SHELL  CONS 

(CAR  CDR ) 

LISTP 

(NIL  NIL) 1 , 
and 

(ADD. SHELL  PUSH 

(TOP  POP) 

STACKP 
(1  NIL)) 

to  the  INTERLISP  system  running  the  theorem  prover. 

All  type-in  to  the  theorem  prover  is  translated  into  functional 
form.  QUOTE,  SETQ,  GO,  RETURN,  COND,  LIST,  PROG,  and  PROGN  are 
handled  specially.  Any  form  beginning  with  a macro  is  replaced 
by  the  result  of  evaluating  the  body  of  the  macro's  definition  in 
an  environment  in  which  the  macro  argument  is  bound  to  the  CDR  of 
the  form  and  the  variable  PROGBODY  is  bound  to  the  list  of  forms 
following  the  form. 

When  printing  out  formulas  we  employ  certain  abbreviations.  In 
the  following  read  (TRUE)  for  TRUE  and  T,  (FALSE)  for  FALSE,  ( ADD1  n) 
for  n+1  when  n is  a non-negative  integer,  (PACK  0)  for  NIL,  (PACK  1) 
for  (QUOTE  PUSHI)  and  (PACK  2)  for  (QUOTE  PUSHV). 

Section  9 is  a cross  reference  table  for  the  axioms  and  definitions 
below. 


ADD1  (Primitive) 


ADD1. EQUAL  (Axiom) 

(EQUAL  (EQUAL  (ADD1  X)  (ADD1  Y)) 

(IF  (NUMBERP  X) 

(IF  (NUMBERP  Y) 

(EQUAL  X Y) 

(EQUAL  X 0)) 

(IF  (NUMBERP  Y)  (EQUAL  Y 0)  TRUE))) 


ADD1 . NNUMBERP  (Axiom) 

(IF  (NUMBERP  X) 

TRUE 

(EQUAL  (ADD1  X)  1)) 


ADD1.SUB1  (Axiom) 

(EQUAL  (ADD1  (SUB  1 X)) 

(IF  (NUMBERP  X) 

(IF  (EOUAL  X 0)  1 X) 

D) 


ADD1.TYPE.NC  (Axiom) 

(AND  (EOUAL  (TYPE. NO  (ADD1  SUB1 ) ) 2) 

(AND  (EQUAL  (TYPE. NO  0)  2) 

(EQUAL  (NUMBERP  X) 

(EQUAL  (TYPE. NO  X)  2)))) 


AND  (Translated  definition) 

(LAMBDA  (P  0) 

(IF  P (IF  C TRUE  FALSE)  FALSE)) 


APPEND  (Definition) 

(LAMBDA  (H) 

(COND  ( (NLISTP  X)  Y) 

(T  (CONS  (CAR  X)  (APPEND  (CDF  X)  Y))))) 


(Translated  definition) 

(LAMBDA  (X  Y) 

(IF  (LISTP  X) 

(CONS  (CAR  X)  (APPEND  (CDR  X)  Y)) 
Y)) 


APPLY  (Primitive) 


ASSEMBLE  (INTERLISP  Macro) 

(X  (CONS  (QUOTE  PROG)  X) 

(Comment:  ASSEMBLE  is  just  another  name  for  PROG.)) 


CA IE  (INTERLISP  Macro) 

(X  (PR0G1  (LIST  (QUOTE  IF) 

(LIST  (QUOTE  EQUAL) 

(CAR  X) 

(KWOTE  (CADR  X))) 

FALSE 

(CAR  PROGBODY)) 

(SETQ  PROGBODY  (CDR  PROGBODY))) 

(Comment:  (CAIE  ac  val)  instrl  instr2  ... 
turns  into 

(IF  (EQUAL  ac  (QUOTE  val))  FALSE  instrl)  instr? 
i.e.,  it  skips  the  next  instruction  if  ac  is 
equal  to  (QUOTE  val))) 
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CAP  (Primitive) 


CAR. CONS  (Axiom) 

(EQUAL  (CAP  (CONS  CAR  CDR ) ) CAR) 


CAR. LESSP  (Axiom) 

(IF  (LISTP  X) 

(LESSP  (COUNT  (CAR  X))  (COUNT  X)) 
TRUE) 


CAR. NLISTP  (Axiom) 

(IF  (NOT  (LISTP  X)) 

(EQUAL  (CAR  X)  NIL) 
TRUE) 


CDR  (Primitive) 


CDR. CONS  (Axiom) 

(EQUAL  (CDR  (CONS  CAR  CDR))  CDR) 


CDR. LESSP  (Axiom) 

(IF  (LISTP  X) 

(LESSP  (COUNT  (CDR  X))  (COUNT  X)) 
TRUE) 


CDR. NLISTP  (Axiom) 

(IF  (NOT  (LISTP  X)) 

(EQUAL  (CDR  X)  NIL) 
TRUE) 


CODEGEN  (Definition) 

(LAMFDA  (FORM  INS) 

(COND  ( (NLISTP  FORM) 

(COND  (( NUMBER P FORM) 

(CONS  (LIST  (QUOTE  PUSHI)  FORM)  INS)) 

(T  (CONS  (LIST  (QUOTE  PUSHV)  FORM) 

INS)))) 

(T  (CONS  (CAR  FORM) 

(CODEGEN  (CADDR  FORM) 

(CODEGEN  (CADR  FORM)  INS)))))) 


(Translated  definition) 

(LAMBDA  (FORM  INS) 

(IF  (LISTP  FORM) 

(CONS  (CAR  FORM) 

(CODEGEN  (CAR  (CDR  (CDR  FORM))) 

(CODE GEN  (CAR  (CDR  FORM))  INS))) 
(IF  (NUMBER P FORM) 

(CONS  (CONS  (QUOTE  PUSHI)  (CONS  FORM  NIL)) 
INS) 

(CONS  (CONS  (QUOTE  PUSHV)  (CONS  FORM  NIL)) 
INS)))) 


COMPILE  (Definition) 

(LAMBDA  (FORM) 

(REVERSE  (CODEGEN  (OPTIMIZE  FORM)  NIL))) 

(Translated  definition) 

(LAMBDA  (FORM) 

(REVERSE  (CODEGEN  (OPTIMIZE  FORM)  NIL))) 


CONS  (Primitive) 


CONS. EQUAL  (Axiom) 

(EOUAL  (EQUAL  (CONS  CAR  CDR) 

(CONS  CAR’  CDR')) 
(AND  (EQUAL  CAR  CAR') 
(EQUAL  CDR  CDR'))) 


CONS.TYPE.NO  (Axiom) 

(AND  (EOUAL  (TYPE. NO  (CONS  CAR  CDR ) ) 4) 
(EQUAL  (LISTP  X) 

(EQUAL  (TYPE. NO  X)  4))) 


CORRECTNESS. OF. CODEGEN  (Theorem) 

(IMPLIES  (FORMP  X) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))) 


CORRECTNESS . OF . OPTIMIZE  (Theorem ) 

(IMPLIES  (FORMP  X) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 
(EVAL  X ENVRN))) 


CORRECTNESS. OF. OPTIMIZING. COMPILER  (Theorem) 
(IMPLIES  (FORMP  X) 

(EQUAL  (EXEC  (COMPILE  X)  PDS  ENVRN ) 
(PUSH  (EVAL  X ENVRN)  PDS))) 


COUNT  (Primitive) 


EQUAL  (Primitive) 


EVAL  (Definition) 

(LAMBDA  (FORM  ENVRN) 

(COND  ( (NLISTP  FORM) 

( CCND  ((NUMEERP  FORM)  FORM) 

(T  (GETVALUE  FORM  ENVRN)))) 

(T  (APPLY  (CAR  FORM) 

(EVAL  (CADR  FORM)  ENVRN) 

(EVAL  (CADDR  FORM)  ENVRN))))) 
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(Translated  definition) 

(LAMPDA  (FORM  ENVRN ) 

(IF  (LISTP  FORM) 

(APPLY  (CAR  FORM) 

(EVAi.  (CAR  (CDR  FORM))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  FORM)))  ENVRN)) 
(IF  (NUMPERP  FORM) 

FORM 

(GETVALUE  FORM  ENVRN)))) 


EXEC  (Definition) 

(LAMEDA  (PC  PDS  ENVRN) 

(ASSEMPLE  (INSTR  AC1  A.C2) 

LOOP  (SKIPTYPE  PC  LISTP) 

(*  skip  next  inetr  if  PC  is  a list) 
(RETURN  PDS)  (•  exit  with  current  PDS) 

(ILDI  INSTR  PC)  (•  fetch  next  instr  and  bump  pc) 
(SKIPTYPE  INSTR  NLISTP) 

(•  skip  if  INSTR  is  not  a list) 

(JUMP  DECODE)  (•  INSTR  is  a list,  go  decode  it) 

(POPARG  AC2  PDS)  (•  INSTR  represents  a fn  call.  Pop 

second  arg  into  AC2.) 

(POPARG  AC1  PDS)  (*  Pop  first  arg  into  AC1 ) 

(XCT  INSTR)  (•  execute  INSTR  on  A.C1  and  AC2  and 

put  result  in  AC1) 

(PUSHARG  AC  1 PDS)  (*  push  AC1 ) 

(JUMP  LOOP)  (*  go  fetch  next  instr) 

DECODE  (HLRZ  AC1  INSTR)  (•  INSTR  is  a LISTP  type  instr.  Fetch 

opcode  into  AC1) 

(HRRZ  A.C2  INSTR)  (*  fetch  operand  into  AC2) 

(CAIE  AC1  PUSHI)  (•  Skip  next  instr  if  opcode  is  PUSHI) 

(LOADS  AC2  AC2)  (•  Clobber  AC 2 with  the  value  of  AC2) 

(PUSHARG  AC2  PDS)  (•  Push  AC 2 — will  be  either  operand 

or  value  of  operand) 

(JUMP  LOOP)  (*  go  fetch  next  instr))) 


f 


(Trereleted  definition) 

(LAMBDA  (PC  PDS  ENVRN ) 

(IF  (LISTP  PC) 

(IF  (LISTP  (CAR  PC)) 

(IF  (EQUAL  (CAR  (CAR  PC))  (QUOTE  PUSHI)) 

(EXEC  (CDR  PC) 

(PUSH  (CAR  (CDR  (CAR  PC)))  PDS) 

ENVRN) 

(EXEC  (CDR  PC) 

(PUSH  (GETVALUE  (CAR  (CDR  (CAR  PC)))  ENVRN) 
PDS) 

ENVRN)) 

(EXEC  (CDR  PC) 

(PUSH  (APPLY  (CAR  PC) 

(TOP  (POP  PDS)) 

(TOP  PDS)) 

(POP  (POP  PDS))) 

ENVRN)) 

PDS)) 


FALSE  (Primitive) 


FALSE.TYPE.NO  (Axiom) 

(EQUAL  (TYPE. NO  FALSE)  0) 


FORMP  (Definition) 

(LAMPDA  (X) 

(COND  ( (NLISTP  X)  T) 

((AND  (NLISTP  (CAP  X)) 

(AND  (LISTP  (CDR  X)) 

(LISTP  (CDDR  X)))) 
(AND  (FORMP  (CADR  X)) 

(FORMP  (CADDR  X)))) 

(T  FALSE))) 
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(Translated  definition) 


(LAMBDA  (X) 

(IF  (LISTP  X) 

(IF  (LISTP  (CAR  X)) 
FALSE 


(IF  (LISTP  (CDR  X)) 

(IF  (LISTP  (CDR  (CDR  X))) 

(IF  ( FORMP  (CAR  (CDR  X))) 

(FORMP  (CAR  (CDR  (CDR  X)))) 
FALSE) 

FALSE) 

FALSE)) 


TRUE)) 


FORMP. OPTIMIZE  (Theorem) 

(IMPLIES  (FORMP  X) 

(FORMP  (OPTIMIZE  X))) 


GETVALUE  (Primitive) 


HLRZ  (INTERLISP  Macro) 

(X  (SUBPAIR  (QUOTE  (AC  X)) 

X 

(QUOTE  (SETO  AC  (CAR  X)))) 
(Comment:  (HLRZ  AC  X) 
turns  into 
(SETQ  AC  (CAR  X)))) 


HRRZ  (INTERLISP  Macro) 

(X  (SUBPAIR  (QUOTE  (AC  X)) 

X 

(QUOTE  (SETQ  AC  (CADR  X)))) 
(Comment.:  (HRRZ  AC  X) 
turn?  into 
(SFTQ  AC  (CADR  X)))) 


IF  (Primitive) 
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ILDI  (INTERLISP  Macro) 

(X  (SUBPAIR  (OUOTE  (INS  PC)) 

X 

(OUOTE  (PROGN  (SETO  INS  (CAR  PC)) 

(SETO  PC  (CDR  PC))))) 

(Comment:  (ILDI  INS  PC) 
turns  Into 

(PROGN  (SETO  INS  (CAR  PC)) 

(SETO  PC  (CDR  PC))) 

i.e.,  it  fetches  the  next  instruction  into  INSTR  end 
bumps  the  PC  by  one.)) 


IMPLIES  (Translated  definition) 
(LAMBDA  (P  0) 

(IF  P (IF  Q TRUE  FALSE)  TRUE)) 


JUMP  (INTERLISP  Macro) 

(X  (CONS  (OUOTE  GO)  X) 

(Comment:  JUMP  is  another  name  for  GO.)) 


LESSP  (Translated  definition) 

(LAMBDA  (X  Y) 

(IF  (EOUAL  X 0) 

(IF  (EOUAL  Y 0)  FALSE  TRUE) 

(IF  (EOUAL  Y 0) 

FALSE 

(LESSP  (SUB  1 X)  (SUB1  Y ) ) ) ) ) 


LISTP  (Primitive) 


L1TATOM  (Primitive) 


( 


LOAD#  (INTERLISP  Macro) 

(X  (SUBPAIF  (QUOTE  (AC  VAF)) 

X 

(QUOTE  (SETQ  AC  (GETVALUE  VAF  ENVRN ) ) ) ) 
(Comment:  (LOAD#  ac  var) 
turn?  into 

(SETQ  ac  (GETVALUE  var  ENVFN)) 

i.e.,  it  loads  ac  with  the  value  of  var.)) 


NLISTP  (Definition) 

(LAMBDA  (X)  (NOT  (LISTP  X))) 


(Translated  definition) 

(LAMBDA  (X)  (IF  (LISTP  X)  FALSE  TFUE ) ) 


NOT  (Translated  definition) 

(LAMBDA  (P)  (IF  P FALSE  TFUE)) 


NUMPEFP  (Primitive) 


NUMBEFP. APPLY  (Axiom) 

(NUMBEFP  (APPLY  FN  X Y)) 


OPTIMIZE  (Definition) 

(LAMBDA  (FOFM) 

(PROG  (TEMPI  TEMP2) 

(COND  ((NLISTP  FORM)  (RETURN  FORM))) 

(SETQ  TEMPI  (OPTIMIZE  (CADR  FORM))) 

(SETQ  TEMP2  (OPTIMIZE  (CADDR  FORM))) 

(COND  ((AND  (NUMBERP  TEMPI)  (NUMBERP  TEMP2)) 

(RETURN  (APPLY  (CAR  FORM)  TEMPI  TEMP2 ) ) ) 

(T  (RETURN  (LIST  (CAR  FORM)  TEMPI  TEMP2) ) ) ) ) ) 
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(Trensleted  definition) 
(LAMEDA  (FORM) 


(IF  (LISTP  FORM) 

(IF  (NUMBERP  (OPTIMIZE  (CAR  (CDR  FORM)))) 

(IF  (NUMBERP  (OPTIMIZE  (CAR  (CDR  (CDR  FORM))))) 

(APPLY  (CAR  FORM) 

(OPTIMIZE  (CAR  (CDR  FORM))) 

(OPTIMIZE  (CAR  (CDR  (CDR  FORM))))) 

(CONS  (CAR  FORM) 

(CONS  (OPTIMIZE  (CAR  (CDR  FORM))) 

(CONS  (OPTIMIZE  (CAR  (CDR  (CDR  FORM)))) 
NIL)))) 

(CONS  (CAR  FORM) 

(CONS  (OPTIMIZE  (CAR  (CDR  FORM))) 

(CONS  (OPTIMIZE  (CAR  (CDR  (CDR  FORM)))) 
NIL)))) 

FORM ) ) 


OR  (Transleted  definition) 

(LAMBDA  (P  Q) 

(IF  P TRUE  (IF  Q TRUE  FALSE))) 


P (Primitive) 


PACK  (Primitive) 


PACK. EQUAL  (Axiom) 

(EQUAL  (EQUAL  (PACK  UNPACK)  (PACK  UNPACK')) 
(EQUAL  UNPACK  UNPACK')) 


PACK.TYPE.NO  (Axiom) 

(AND  (EQUAL  (TYPE. NO  (PACK  UNPACK))  3) 
(EQUAL  (LITATOM  X) 

(EQUAL  (TYPE. NO  X)  3))) 
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POP  (Primitive) 


POP . LESSP  (Axiom) 

(IF  (STACKP  X) 

(LESSP  (COUNT  (POP  X))  (COUNT  X)) 
TRUE) 


POP . NSTACKP  (Axiom) 

(IF  (NOT  (STACKP  X)) 
(EQUAL  (PCP  X)  NIL) 
TRUE) 


POP. PUSH  (Axiom) 

(EQUAL  (POP  (PUSH  TOP  POP))  POP) 


POPARG  (INTERLISP  Mecro) 

(X  (SUBPAIR  (QUOTE  (AC  STACK)) 

X 

(QUOTE  (PROGN  (SETQ  AC  (TOP  STACK)) 

(SETQ  STACK  (POP  STACK))))) 

(Comment:  (POPARG  AC  STACK) 
turns  into 

(PROGN  (SETQ  AC  (TOP  STACK)) 

(SETQ  STACK  (POP  STACK))) 

i.e.,  it  pops  the  top  of  STACK  into  AC  decrementing 
the  steck  pointer. ) ) 


PUSH  (Primitive) 


PUSH. EQUAL  (Axiom) 

(EQUAL  (EQUAL  (PUSH  TOP  POP) 

(PUSH  TOP'  POP')) 
(AND  (EQUAL  TOP  TOP') 
(EQUAL  POP  POP'))) 


PUSH.TYPE.NO  (Axiom) 

(AND  (EQUAL  (TYPE. NO  (PUSH  TOP  POP))  5) 
(EQUAL  (STACKP  X) 

(EQUAL  (TYPE. NO  X)  5))) 


PUSHARG  (INTEFLISP  Maero) 

(X  (SUBPAIR  (QUOTE  (AC  STACK)) 

X 

(QUOTE  (SETQ  STACK  (PUSH  AC  STACK)))) 
(Comment:  (PUSHARG  AC  STACK) 
turns  into 

(SETQ  STACK  (PUSH  AC  STACK)))) 


REVERSE  (Definition) 

(LAMBDA  (X) 

(COND  ( (NLISTP  X)  NIL) 

(T  (APPEND  (REVERSE  (CDF  X)) 
(LIST  (CAR  X)))))) 

(Translated  definition) 

(LAMBDA  (X) 

(IF  (LISTP  X) 

(APPEND  (REVERSE  (CDR  X)) 

(CONS  (CAR  X)  NIL)) 

NIL)) 


SEQUENTIAL. EXECUTION  (Theorem) 

(EQUAL  (EXEC  (APPEND  X Y)  PDS  ENVRN) 

(EXEC  Y (EXEC  X PDS  ENVRN)  ENVRN)) 


SKIPTYPE  (INTERLISP  Mscro) 

(X  (PR0G1  (LIST  (QUOTE  IF) 

(LIST  (CADR  X)  (CAR  X)) 

FALSE 

(CAR  PROGBODY)) 

(SFTQ  PROGBODY  (CDR  PROGBODY))) 

(Comment:  (SKIPTYPE  x pred)  instrl  instr2  ... 
trsnslstes  into 

(IF  (pred  x)  FALSE  instrl ) instr2  ... 
That  is,  the  next  instruction  is  skipped 
if  (pred  x)  is  non-FALSE.)) 


STACKP  (Primitive) 


SUB!  (Primitive) 


SUB1.0  (Axiom) 

(EQUAL  (SUB  1 0)  C) 


SUB1.ADD1  (Axiom) 

(EQUAL  (SUB  1 (ADD1  X)) 

(IF  (NUMBERP  X)  X 0)) 


SUB1.ELIM  (Axiom) 

(IMPLIES  (AND  (IMPLIES  (NOT  (NUMBERP  X))  (P  X 0)) 

(AND  (P  0 0) 

(IMPLIES  (NUMBERP  (SUB  1 X)) 

(P  (ADD1  (SUB  1 X))  (SUB  1 X))))) 


(P  X (SUB  1 X))) 


SUB1.LESSP  (Axiom) 

(IF  (NUMBERP  X) 

(IF  (EQUAL  X 0) 

TRUE 

(LESSP  (COUNT  (SUB  1 X))  (COUNT  X))) 
TRUE) 


SUB  1 . NNUMBERP  (Axiom) 

(IF  (NUMBERP  X) 

TRUE 

(EQUAL  (SUP  1 X)  0)) 


TOP  (Primitive) 


TOP. LESSP  (Axiom) 

(IF  (STACKP  X) 

(LESSP  (COUNT  (TOP  X))  (COUNT  X)) 
TRUE) 


TOP.NSTACKP  (Axiom) 

(IF  (NOT  (STACKP  X)) 
(EQUAL  (TOP  X)  1) 
TRUE) 


TOP. PUSH  (Axiom) 

(EQUAL  (TOP  (PUSH  TOP  POP))  TOP) 


TRUE  (Primitive) 


TRUE.TYPE.NO  (Axiom) 

(EQUAL  (TYPE. NO  TRUE)  1) 
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UNPACK  (Primitive) 


UNPACK. LESSP  (Axiom) 

(IF  (LITATOM  X) 

(LESSP  (COUNT  (UNPACK  X))  (COUNT  X)) 
TRUE ) 


UNPACK. NLITA TOM  (Axiom) 

(IF  (NOT  (LITATOM  X)) 

(EQUAL  (UNPACK  X)  NIL) 
TRUE) 


UNPACK. PACK  (Axiom) 

(EQUAL  (UNPACK  (PACK  UNPACK))  UNPACK) 


XCT  (INTERLISP  Macro) 

(X  (SUBST  (CAR  X) 

(QUOTE  INS) 

(QUOTE  (SETQ  AC1  (APPLY  INS  AC1  AC2))) ) 

(Comment:  (XCT  INS) 
turns  into 

(SETQ  AC1  (APPLY  INS  AC1  AC2) ) 

i.e.,  it  sets  AC1  to  the  result  of  APPLYing  INS  to  AC1 
and  AC2. ) ) 
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8.  THE  PROOFS 

With  the  exception  of  this  pege,  this  Section  consists  entirely  of 
the  theorem  prover's  output  during  the  course  of  its  proofs  of  the  five 
theorems  cited  above.  The  only  user  interaction  was  in  introducing 
the  data  types  and  function  discussed  above,  end  in  commanding  the 
theorem  prover  to  prove  the  theorems  in  the  order  they  are  proved  below. 


PROOF  OF  THE  "FORMP. OPTIMIZE"  LEMMA 


The  conjecture  to  be  proved  is: 


(IMPLIES  (FORMP  X) 

(FORMP  (OPTIMIZE  X))) 


Simplification  produces: 

•i.  (IMPLIES  (FORMP  X) 

(FORMP  (OPTIMIZE  X))). 

Give  this  the  name  *1.  We'll  try  to  prove  it  by  induction. 

There  ere  2 plausible  inductions.  These  merge  into  one  likely  candidate 
induction.  Induct  on  X.  This  induction  is  justified  by  the  CAR.LESSP 
and  CDR.LESSP  inequalities. 


We  must  now  prove  the  following  7 goals: 

•l.i.  (IMPLIES  (AND  (NOT  (LISTP  (CDR  (CDR  X)))) 

(FORMP  X)) 

(FORMP  (OPTIMIZE  X))), 

•1 . ii  . (IMPLIES  (AND  (NOT  (LISTP  X))  (FORMP  X)) 

(FORMP  (OPTIMIZE  X))), 

•l.iii.  (IMPLIES  (AND  (NOT  (LISTP  (CDR  X)))  (FORMP  X)) 
(FORMP  (OPTIMIZE  X))), 

•l.iv.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(NOT  (FORMP  (CAR  (CDR  (CDR  X))))) 
(NOT  (FORMP  (CAR  (CDR  X)))) 

(FORMP  X)) 

(FORMP  (OPTIMIZE  X))), 


•I.v.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(FORMP  (OPTIMIZE  (CAR  (CDR  (CDR  X))))) 
(NOT  (FORMP  (CAR  (CDR  X)))) 

(FORMP  X)) 

(FORMP  (OPTIMIZE  X))), 

•l.vi.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(NOT  (FORMP  (CAR  (CDR  (CDR  X))))) 
(FORMP  (OPTIMIZE  (CAR  (CDR  X)))) 
(FORMP  X)) 

(FORMP  (OPTIMIZE  X))) 


and 

•l.vii.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(FORMP  (OPTIMIZE  (CAR  (CDR  (CDR  X))))) 
(FORMP  (OPTIMIZE  (CAR  (CDR  X)))) 

(FORMP  X)) 

(FORMP  (OPTIMIZE  X))). 


Simplification  produces:  TRUE. 

That  finishes  the  proof  of  *1. 


O.E.D. 

((SIMPLIFY  1)  (PUSH  1)  NEXT...  (INDUCT  2 111  (X))  (SIMPLIFY  0)  POP  I 
O.E.D.) 

Load  average  during  proof:  2. 923895 

Elapsed  time:  116.829  seconds 

CPU  time:  27.13*1  seconds 

CONSes  consumed:  10056 
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PROOF  OF  THE  "CORRECTNESS. OF. OPTIMIZE"  LEMMA 


The  conjecture  to  be  proved  is: 


(IMPLIES  (FORMP  X) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 
(EVAL  X ENVRN))) 


Simplification  produces: 

•i.  (IMPLIES  (FORMP  X) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))). 

Give  this  the  name  *1.  He'll  try  to  prove  it  by  induction. 

There  are  3 plausible  inductions.  These  merge  into  one  likely  candidate 
induction.  Induct  on  X.  This  induction  is  Justified  by  the  CAR.LESSP 
and  CDR.L£SSP  inequalities. 


He  must  now  prove  the  following  7 goals: 

•l.i.  (IMPLIES  (AND  (NOT  (LISTP  (CDR  (CDR  X)))) 

(FORMP  X)) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))), 

•l.ii.  (IMPLIES  (AND  (NOT  (LISTP  X))  (FORMP  X)) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))), 

•l.iii.  (IMPLIES  (AND  (NOT  (LISTP  (CDR  X)))  (FORMP  X)) 
(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))), 

•l.iv.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(NOT  (FORMP  (CAR  (CDR  (CDR  X))))) 
(NOT  (FORMP  (CAR  (CDR  X)))) 

(FORMP  X)) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))), 


•I.v.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 
ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)) 

(NOT  (FORMP  (CAR  (CDR  X)))) 

(FORMP  X)) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))), 

•l.vi.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(NOT  (FORMP  (CAR  (CDR  (CDR  X))))) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN) 
(EVAL  (CAR  (CDR  X))  ENVRN)) 

(FORMP  X)) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))) 

and 

•l.vii.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 
ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)) 
(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN) 
(EVAL  (CAR  (CDR  X))  ENVRN)) 

(FORMP  X)) 

(EQUAL  (EVAL  (OPTIMIZE  X)  ENVRN) 

(EVAL  X ENVRN))). 


Simplification  produces  the  following  3 goals: 

•l.viii.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 
ENVRN ) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)) 
(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN) 
(EVAL  (CAR  (CDR  X))  ENVRN)) 

(NOT  (LISTF  (CAR  X))) 

( FORMP  (CAR  (CDR  X))) 

( FORMP  (CAR  (CDR  (CDR  X)))) 

(NUMBERP  (OPTIMIZE  (CAR  (CDR  X)))) 

(NUMBERP  (OPTIMIZE  (CAR  (CDR  (CDR  X)))))) 

(EQUAL  (APPLY  (CAR  X) 

(OPTIMIZE  (CAR  (CDR  X))) 

(OPTIMIZE  (CAR  (CDR  (CDR  X))))) 

(APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)))), 

•1 . ix . (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 
ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN) 
(EVAL  (CAR  (CDR  X))  ENVRN)) 

(NOT  (LJSTP  (CAR  X))) 

(FORMP  (CAR  (CDR  X))) 

(FORMP  (CAR  (CDR  (CDR  X)))) 

(NUMBERP  (OPTIMIZE  (CAR  (CDR  X)))) 

(NOT  (NUMBERP  (OPTIMIZE  (CAR  (CDR  (CDR  X))))))) 
(EQUAL  (APPLY  (CAR  X) 

(OPTIMIZE  (CAR  (CDR  X))) 

(EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 
ENVRN)) 

(APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)))) 
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•1.x.  (IMPLIES  (AND  (LISTP  (CDR  (CDF  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 
ENVRN ) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN) 
(EVAL  (CAR  (CDR  X))  ENVRN)) 

(NOT  (LISTP  (CAR  X))) 

(FORMP  (CAR  (CDR  X))) 

(FORMP  (CAR  (CDR  (CDR  X)))) 

(NOT  (NUMBERP  (OPTIMIZE  (CAR  (CDR  X)))))) 
(EQUAL  (APPLY  (CAR  X) 

(EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN) 
(EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 
ENVRN)) 

(APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)))). 


Cross  fertilize 

(EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 

ENVRN) 

for 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 
ir  •l.viii,  and  throw  away  the  equality.  This  produces: 

•l.xi.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(EQUAL  (OPTIMIZE  (CAR  (CDR  X))) 

(EVAL  (CAR  (CDR  X))  ENVRN)) 

(NOT  (LISTP  (CAR  X))) 

(FORMP  (CAR  (CDR  X))) 

(FORMP  (CAR  (CDR  (CDR  X)))) 

(NUMBERP  (OPTIMIZE  (CAR  (CDR  X)))) 

(NUMBERP  (OPTIMIZE  (CAR  (CDR  (CDR  X)))))) 

(EQUAL  (APPLY  (CAR  X) 

(OPTIMIZE  (CAR  (CDR  X))) 

(OPTIMIZE  (CAR  (CDR  (CDR  X))))) 

(APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 
(OPTIMIZE  (CAR  (CDR  (CDR  X))))))). 
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Cross  fertilize 

(OPTIMIZE  (CAR  (CDR  X))) 

for 

(EVAL  (CAR  (CDR  X))  ENVRN ) 

in  *1.xi,  end  throw  ewey  the  equality.  This  produces:  TRUE. 


Cross  fertilize 

P (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 
for 

(EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 

ENVRN) 

in  •l.ix,  end  throw  ewey  the  equality.  This  produces: 

•l.xii.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(EQUAL  (OPTIMIZE  (CAR  (CDR  X))) 

(EVAL  (CAR  (CDR  X))  ENVRN)) 

(NOT  (LISTP  (CAR  X))) 

( FORMP  (CAR  (CDR  X))) 

( FORMP  (CAR  (CDR  (CDR  X)))) 

(NUMBERP  (OPTIMIZE  (CAR  (CDR  X)))) 

(NOT  (NUMBERP  (OPTIMIZE  (CAR  (CDR  (CDR  X))))))) 
(EQUAL  (APPLY  (CAR  X) 

(OPTIMIZE  (CAR  (CDR  X))) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)) 
(APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)))). 


Cross  fertilize 

(OPTIMIZE  (CAR  (CDR  X))) 

for 

(EVAL  (CAR  (CDR  X))  ENVRN) 

in  •l.xii,  end  throw  away  the  equality.  This  produces:  TRUE. 


Cross  fertilize 

(EVAL  (CAP  (CDR  (CDR  X)))  ENVRN) 

for 

(EVAL  (OPTIMIZE  (CAR  (CDR  (CDR  X)))) 

ENVRN) 

in  •l.x,  and  throw  away  the  equality.  This  produces: 
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•l.xiii.  (IMPLIES  (AND  (LISTP  (CDR  (CDR  X))) 

(LISTP  X) 

(LISTP  (CDR  X)) 

(EQUAL  (EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN ) 
(EVAL  (CAR  (CDR  X))  ENVRN)) 

(NOT  (LISTP  (CAR  X))) 

( FORMP  (CAR  (CDR  X))) 

( FORMP  (CAR  (CDR  (CDR  X)))) 

(NOT  (NUMBERP  (OPTIMIZE  (CAR  (CDR  X)))))) 
(EQUAL  (APPLY  (CAP  X) 

(EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN) 
(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)) 
(APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)))). 


Cross  fertilize 

(EVAL  (CAR  (CDR  X))  ENVRN) 

for 

(EVAL  (OPTIMIZE  (CAR  (CDR  X)))  ENVRN) 
in  *1.xiii,  end  throw  sway  the  eauelity.  This  produces:  TRUE. 

That,  finishes  the  proof  of  *1. 


Q.E. D. 

((SIMPLIFY  1)  (PUSH  1)  NEXT...  (INDUCT  3111  (X))  (SIMPLIFY  3)  ( 
CROSS. FERT  DELETE)  (CROSS. FERT  DELETE)  ( CROSS. FERT  DELETE)  ( CROSS. FERT 
DELETE)  (CROSS. FERT  DELETE)  (CROSS. FERT  DELETE)  POP!  Q.E.D.) 

Load  average  during  proof:  3.2268147 

Elapsed  tiire:  339.8*45  seconds 

CPU  time:  7*4.993  seconds 

CONSes  consumed:  35933 
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PROOF  OF  THE  "SEQUENTIAL. EXECUTION " LEMMA 

The  conjecture  to  be  proved  is: 

( EQUAL  (EXEC  (APPEND  X Y)  PDS  ENVRN ) 

(EXEC  Y (EXEC  X PDS  ENVRN)  ENVRN)) 


Simplification  produces: 

•i.  (EQUAL  (EXEC  (APPEND  X Y)  PDS  ENVRN) 

(EXEC  Y (EXEC  X PDS  ENVRN)  ENVRN)). 

Give  this  the  name  •I.  We'll  try  to  prove  it  by  induction. 

There  are  3 plausible  inductions.  These  merge  into  2 likely  candidate 
inductions.  However,  one  is  more  likely  than  the  other.  Induct 
on  X (instantiating  PDS).  This  induction  is  justified  by  the  CDR.LESSP 
inequality. 

We  must  now  prove  the  following  2 goals: 

•1 . i . (IMPLIES  (NOT  (LISTP  X)) 

(EQUAL  (EXEC  (APPEND  X Y)  PDS  ENVRN) 

(EXEC  Y (EVEC  X PDS  ENVRN)  ENVRN))) 


and 
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•l.ii.  (IMPLIES 
(AND 

(LISTP  X) 

(EQUAL  (EXEC  (APPEND  (CDR  X)  Y) 

(PUSH  (APPLY  (CAR  X) 

(TOP  (POP  PDS ) ) 

(TOP  PDS)) 

(POP  (POP  PDS))) 

ENVRN ) 

(EXEC  Y 

(EXEC  (CDR  X) 

(PUSH  (APPLY  (CAR  X) 

(TOP  (POP  PDS)) 

(TOP  PDS)) 

(POP  (POP  PDS))) 

ENVRN) 

ENVRN)) 

(EQUAL  (EXEC  (APPEND  (CDR  X)  Y) 

(PUSH  (CAR  (CDR  (CAR  X)))  PDS) 

ENVRN) 

(EXEC  Y 

(EXEC  (CDR  X) 

(PUSH  (CAR  (CDR  (CAR  X)))  PDS) 

ENVRN) 

ENVRN)) 

(EQUAL  (EXEC  (APPEND  (CDR  X)  Y) 

(PUSH  (GETVALUE  (CAR  (CDR  (CAR  X)))  ENVRN) 

PDS) 

ENVRN) 

(EXEC  Y 

(EXEC  (CDR  X) 

(PUSH  (GETVALUE  (CAR  (CDR  (CAR  X)))  ENVRN) 
PDS) 

ENVRN) 

ENVRN))) 

(EQUAL  (EXEC  (APPEND  X Y)  PDS  ENVRN) 

(EXEC  Y (EXEC  X PDS  ENVRN)  ENVRN))). 


Sitnpli fie? tion  produces:  TRUE. 

That  finishes  the  proof  of  •!. 


O.E.D. 

((SIMPLIFY  1)  (PUSH  1)  NEXT...  (INDUCT  3 2 1 1 (X  / PDS))  (SIMPLIFY 
0)  POP!  Q.E.D.) 

Load  average  during  proof:  3.023293 

Elapsed  time:  9*1.353  seconds 

CPU  time:  17.161  seconds 

CONSes  consumed : 9006 
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PROOF  OF  THE  "CORRECTNESS. OF. CODEGEN"  LEMMA 


The  conjecture  to  be  proved  is: 

(IMPLIES  (FORMP  X) 

(EQUAL.  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN ) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))) 


Simpli fication  produces: 

•i.  (IMPLIES  (FORMP  X) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))). 

Give  this  the  name  *1.  We'll  try  to  prove  it  by  induction. 

There  are  4 plausible  inductions.  These  merge  into  2 likely  candidate 
inductions.  However,  one  is  more  likely  than  the  other.  Induct 
on  X ( instantiating  INS).  This  induction  is  justified  by  the  CAR.LESSP 
end  CDR.LESSP  inequalities. 


We  must  now  prove  the  following  7 goals: 

•1 . i . (IMPLIES  (AND  (NOT  (LISTP  X))  (FORMP  X)) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 

• 1 . ii  . (IMPLIES  (AND  (NOT  (LISTP  (CDR  X)))  (FORMP  X)) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 
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•l.iii.  (IMPLIES  (AND  (NOT  (LISTP  ( CDR  (CDR  X)))) 

(FORMP  X)) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN ) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 


•l.lv.  (IMPLIES  (AND  (LISTP  X) 

(LISTP  (CDR  X)) 

(LISTP  (CDR  (CDR  X))) 

(NOT  (FORMP  (CAR  (CDR  X)))) 

(NOT  (FORMP  (CAR  (CDR  (CDR  X))))) 

(FORMP  X)) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 


•l.v.  (IMPLIES  (AND  (LISTP  X) 

(LISTP  (CDR  X)) 

(LISTP  (CDR  (CDR  X))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 
PDS  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))) 

(NOT  (FORMP  (CAR  (CDR  (CDR  X))))) 

(FORMP  X)) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 


•l.vi.  (IMPLIES 
(AND 

(LISTP  X) 

(LISTP  (CDR  X)) 

(LISTP  (CDR  (CDR  X))) 

(NOT  (FORMP  (CAR  (CDR  X)))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN))) 

(FORMP  X)) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))) 
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pnd 


•l.vii. 


( IMPLIES 
(AND 

(LISTP  X) 

(LISTP  (CDR  X)) 

(LISTP  (CDR  (CDR  X))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN ) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN))) 

(FORMP  X)) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  X INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))). 


Simplification  produces  the  following  7 goels: 

•l.viii.  (IMPLIES 

(AND  (NOT  (LISTP  X))  (NUMFERP  X)) 

(EQUAL  (EXEC  (APPEND  (REVERSE  INS) 

(CONS  (CONS  (QUOTE  PUSHI)  (CONS  X NIL)) 
NIL)) 

PDS  ENVRN) 

(PUSH  X 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 


•l.lx.  (IMPLIES 

(AND  (NOT  (LISTP  X)) 

(NOT  (NUMBERP  X))) 

(EQUAL  (EXEC  (APPEND  (REVERSE  INS) 

(CONS  (CONS  (QUOTE  PUSHV)  (CONS  X NIL)) 
NIL)) 

PDS  ENVRN) 

(PUSH  (GETVALUE  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 
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•1.x.  (IMPLIES 

(AND  (NOT  (LISTP  (CDR  X))) 

(NOT  (LISTP  X)) 

(NUMPERP  X)) 

(EQUAL  (EXEC  (APPEND  (REVERSE  INS) 

(CONS  (CONS  (QUOTE  PUSHI)  (CONS  X NIL)) 
NIL)) 

PDS  ENVRN ) 

(PUSH  X 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 

•l.xi.  (IMPLIES 

(AND  (NOT  (LISTP  (CDR  X))) 

(NOT  (LISTP  X)) 

(NOT  (NUMBERP  X))) 

(EQUAL  (EXEC  (APPEND  (REVERSE  INS) 

(CONS  (CONS  (QUOTE  PUSHV)  (CONS  X NIL)) 
NIL)) 

PDS  ENVRN) 

(PUSH  (GETVALUE  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 

•l.xii.  (IMPLIES 

(AND  (NOT  (LISTP  (CDR  (CDR  X)))) 

(NOT  (LISTP  X)) 

(NUMPERP  X)) 

(EQUAL  (EXEC  (APPEND  (REVERSE  INS) 

(CONS  (CONS  (QUOTE  PUSHI)  (CONS  X NIL)) 
NIL)) 

PDS  ENVRN) 

(PUSH  X 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))), 


•l.xi 11.  (IMPLIES 

(AND  (NOT  (LISTP  (CDR  (CDR  X)))) 

(NOT  (LISTP  X)) 

(NOT  (NUMBERP  X))) 

(EQUAL  (EXEC  (APPEND  (REVERSE  INS) 

(CONS  (CONS  (QUOTE  PUSHV)  (CONS  X NIL)) 
NIL)) 

PDS  ENVRN) 

(PUSH  (GETVALUE  X ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))) 

?pd 


i 
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•l.xiv.  (IMPLIES 
(AND 

(LISTP  X) 

(LISTP  (CDR  X)) 

(LISTP  (CDR  (CDR  X))) 

(ECUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN ) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 


Apply  the 

Apply  the 

Apply  the 

Apply  the 

Apply  the 

Apply  the 

Apply  the 
fol lowing 


PDS  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN))) 

(NOT  (LISTP  (CAR  X))) 

( FORMP  (CAR  (CDR  X))) 

(FORMP  (CAR  (CDR  (CDR  X))))) 

(EQUAL 

(EXEC  (APPEND  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 
(CONS  (CAR  X)  NIL)) 

PDS  ENVRN) 

(PUSH  (APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))). 

lemma  SEQUENTIAL. EXECUTION  to  •l.viii.  This  produces:  TRUE. 

1 enure  SEQUENTIAL. EXECUTION  to  «1.ix.  This  produces:  TRUE. 

lemma  SEQUENTIAL. EXECUTION  to  *1.x.  This  produces:  TRUE. 

lemme  SEQUENTIAL. EXECUTION  to  »1.xi.  This  produces:  TRUE. 

lemma  SEQUENTIAL. EXECUTION  to  «1.xii.  This  produces:  TRUE. 

lemma  SEQUENTIAL. EXECUTION  to  •l.xiii.  This  produces:  TRUE. 

lemma  SEQUENTIAL. EXECUTION  to  #1.xiv.  This  produces  the 
2 goals: 
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•l.xv.  (IMPLIES 
(AND 

(LISTP  X) 

(LISTP  (CDR  X)) 

(LISTP  (CDR  (CDR  X))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN ) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN))) 

(NOT  (LISTP  (CAR  X))) 

(FORMP  (CAR  (CDR  X))) 

( FORMP  (CAR  (CDR  (CDR  X))))) 

(EQUAL 

(POP 

(POP  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN))) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))) 

and 
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•l.xvi.  (IMPLIES 
(AND 

(LISTP  X) 

(LISTP  (CDR  X)) 

(LISTP  (CDF  (CDR  X))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN) 

(PUSH  (EVAL  (CAR  (CL'R  (CDR  X)))  ENVRN) 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN))) 

(NOT  (LISTP  (CAR  X))) 

(FORMP  (CAR  (CDR  X))) 

(FORMP  (CAR  (CDR  (CDR  X))))) 

(EQUAL 
(APPLY 
(CAR  X) 

(TOP 

(POP  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN))) 

(TOP  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN))) 

(APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)))). 


Massively  substitute 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)) 
for 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN) 

in  *1.xv,  and  throw  away  the  equality.  This  produces: 
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•l.xvii.  (IMPLIES 
(AND 

(LISTP  X) 

(LISTP  (CDF  X)) 

(LISTP  (CDR  (CDR  X))) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN ) 

(PUSH  (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))) 

(NOT  (LISTP  (CAR  X))) 

(FORMP  (CAR  (CDR  X))) 

(FORMP  (CAR  (CDR  (CDR  X))))) 

(EQUAL 

(POP 

(POP  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN))) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))). 


Cross  fertilize 

(PUSH  (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))) 
for 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN) 

in  *1.xvii,  and  throw  away  the  equality.  This  produces:  TRUE. 


Massively  substitute 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)) 
for 

(EXEC  (RFVERSE  (CODEGEN  (CAR  (CDR  X))  INS)) 

PDS  ENVRN) 

in  B1.xvi,  and  throw  a way  the  equality.  This  produces: 
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•l.xviii.  (IMPLIES 
(AND 

(LISTP  X) 

(LISTP  (CDR  X)) 

(LISTP  (CDR  (CDR  X))) 

(EQUAL 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN ) 

(PUSH  (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN)))) 

(NOT  (LISTP  (CAR  X))) 

( FORMP  (CAR  (CDR  X))) 

(FORMP  (CAR  (CDR  (CDR  X))))) 

(EOUAL 
(APPLY 
(CAR  X) 

(TOP 

(POP 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN))) 

(TOP  (EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN))) 

(APPLY  (CAR  X) 

(EVAL  (CAR  (CDR  X))  ENVRN) 

(EVAL  (CAR  (CDR  (CDR  X)))  ENVRN)))). 


Cross  fertilize 

(PUSH  (EVAL  (CAR  (CDR  (CDR  X)))  ENVRN) 

(PUSH  (EVAL  (CAR  (CDR  X))  ENVRN) 

(EXEC  (REVERSE  INS)  PDS  ENVRN))) 

for 

(EXEC  (REVERSE  (CODEGEN  (CAR  (CDR  (CDR  X))) 

(CODEGEN  (CAR  (CDR  X))  INS))) 

PDS  ENVRN) 

in  #1.xviii,  end  throw  awey  the  equality.  This  produces:  TRUE. 


That  finishes  the  proof  of  *1. 


Q.F..D. 

((SIMPLIFY  1)  (PUSH  1)  NEXT...  (INDUCT  4 2 1 1 (X  / INS))  (SIMPLIFY 
7)  (LEMMA  SEQUENTIAL. EXECUTION)  (LEMMA  SEQUENTIAL. EXECUTION)  (LEMMA 
SEQUENTIAL. EXECUTION)  (LEMMA  SEQUENTIAL. EXECUTION ) (LEMMA 
SEQUENTIAL. EXECUTION)  (LEMMA  SEQUENTIAL. EXECUTION ) (LEMMA 
SEQUENTIAL. EXECUTION)  (MASS.SUBST  DELETE)  (CROSS. FERT  DELETE)  ( 
MASS.SUBST  DELETE)  (CROSS. FERT  DELETE)  POP!  Q.E.D.) 

Load  average  during  proof:  2.770582 

Elapsed  time:  330.668  seconds 

CPU  time:  106.12  seconds 

CONSes  consumed:  45178 


PROOF  OF  THE  "CORRECTNESS. OF. OPTIMIZING. COMPILER"  LEMMA 


The  conjecture  to  be  proved  is: 


(IMPLIES  (FCRMP  X) 

(EQUAL  (EXEC  (COMPILE  X)  PDS  ENVRN ) 
(PUSH  (EVAL  X ENVRN)  PDS))) 


Simplification  produces: 

*j . (IMPLIES  ( FORMP  X) 

(EQUAL  (EXEC  (REVERSE  (CODEGEN  (OPTIMIZE  X)  NIL)) 
PDS  ENVRN) 

(PUSH  (EVAL  X ENVRN)  PDS))). 

Apply  the  lemmas  FORMP. OPTIMIZE,  CORRECTNESS. OF. CODEGEN  and 
CORRECTNESS. OF. OPTIMIZE  to  *i.  This  produces:  TRUE. 


Q.E.D. 

((SIMPLIFY  1)  (LEMMA  FORMP. OPTIMIZE  CORRECTNESS. OF. CODEGEN 
CORRECTNESS. OF. OPTIMIZE ) Q.E.D.) 

Load  average  during  proof:  1.791236 

Elapsed  time:  9.757  seconds 

CPU  time:  11.208  seconds 

CONSes  consumed:  1118 
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9.  CROSS  REFERENCE  TABLE  FOR  SECTION  7 


Below  we  list,  for  each  symbol  defined  in  Section  7,  all  those 
definitions  which  reference  it. 

0 ADD1. EQUAL,  ADD1 .NNUMBERP,  ADD1.SUB1,  ADD1 . TYPE . NO , 

CAR . NLISTP,  CDR.NLISTP,  CODEGEN,  COMPILE, 
CONS.TYPE.NO,  EXEC,  FALSE . TYPE . NO , LESSP,  OPTIMIZE, 
PACK.TYPE.NO,  POP.NSTACKP,  PUSH.TYPE.NO,  REVERSE, 
SUB  1.0,  SUB  1 . ADD  1 , SUB1.ELIM,  SUB1. LESSP, 

SUB  1. NNUMBERP,  TOP.NSTACKP,  TRUE . TYPE . NO , 

UNPACK. NLITATOM. 


AC 
AC  1 
AC2 
ADD1 

AND 

APPEND 

APPLY 

ASSFMBLE 

CADDR 

CADR 

CAIE 

CAR 


HLRZ , HRRZ , LOAD0,  POPARG,  PUSHARG. 

EXEC,  XCT. 

EXEC,  XCT. 

ADD1. EQUAL,  ADD  1 . NNUMBERP , ADD1.SUB1,  ADD  1 . TYPE . NO , 
CODEGEN,  CONS.TYPE.NO,  EXEC,  PACK.TYPE.NO, 
PUSH.TYPE.NO,  SUB  1. ADD  1,  SUB1.ELIM,  TOP.NSTACKP, 
TRUE.TYPE.NO. 

ADD1.TYPE.N0,  CONS. EQUAL,  CONS.TYPE.NO,  FORMP , 
OPTIMIZE,  PACK.TYPE.NO,  PUSH. EQUAL,  PUSH.TYPE.NO, 
SUB1.ELIM. 

APPEND,  REVERSE,  SEQUENTIAL. EXECUTION. 

EVAL,  EXEC,  NUMBERP. APPLY,  OPTIMIZE,  XCT. 

EXEC. 

CCDEGEN , EVAL,  FORMP,  OPTIMIZE. 

CAIE,  CODEGEN,  EVAL,  FORMP,  HRRZ,  OPTIMIZE, 
SKIPTYPE. 

EXEC. 

APPEND,  CAIE,  CAR. CONS,  CAR. LESSP,  CAR. NLISTP, 
CDR.CONS,  CODEGEN,  CONS. EQUAL,  CONS.TYPE.NO,  EVAL, 
EXEC,  FORMP,  HLRZ,  ILDI,  OPTIMIZE,  REVERSE, 
SKIPTYPE,  XCT. 


CAR' 


CONS. EQUAL. 
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CDDR 

CDR 

CDR ' 

CODEGEN 

COMPILE 

COND 

CONS 

COUNT 

DECODE 

ENVRN 

EQUAL 


EVAL 

EXEC 

FALSE 

FN 


FORMP. 

APPEND,  CA IE , CAR. CONS,  CDR. CONS,  CDR.LESSP, 

CDR . NLISTP,  CODEGEN,  CONS. EQUAL,  CONS . TYPE . NO , 

EVAL,  EXEC,  FORMP,  ILDI,  OPTIMIZE,  REVERSE, 
SKIPTYPE. 

CONS. EQUAL. 

CODEGEN,  COMPILE,  CORRECTNESS . OF . CODEGEN . 

CORRECTNESS. OF . OPTIMIZING . COMPILER . 

APPEND,  CODEGEN,  EVAL,  FORMP,  OPTIMIZE,  REVERSE. 

APPEND,  ASSEMBLE,  CAR. CONS,  CDR. CONS,  CODEGEN, 

CONS. EQUAL,  CONS . TYPE . NO , JUMP,  OPTIMIZE,  REVERSE. 

CAR . LESSP , CDR.LESSP,  POP.LESSP,  SUB1.LESSP, 
TOP.LESSP,  UNPACK. LESSP. 

EXEC. 

CORRECTNESS . OF . CODEGEN , CORRECTNESS . OF . OPT1 M I ZE , 
CORRECTNESS. OF. OPTIMIZING. COMPILER,  EVAL,  EXEC, 
LOAD0,  SEQUENTIAL. EXECUTION. 

ADD  1. EQUAL,  ADD  1 . NNUMBERP , ADD1.SUB1,  ADD  1 . TYPE . NO , 
CAIE,  CAR. CONS,  CAR. NLISTP,  CDR. CONS,  CDR. NLISTP, 
CONS. EQUAL,  CONS . TYPE . NO , CORRECTNESS . OF. CODEGEN , 
CORRECTNESS . OF . OPTIMIZE , 

CORRECTNESS. OF. OPTIMIZING. COMPILER,  EXEC, 
FALSE.TYPE.NO,  LESSP,  PACK. EQUAL,  PACK . TYPE . NO , 

POP . NSTACKP , POP. PUSH,  PUSH. EQUAL,  PUSH . TYPE . NO , 
SEQUENTIAL. EXECUTION,  SUB1.0,  SUB1.ADD1, 

SUB  1. LESSP,  SUB  1 . NNUMPERP , TOP. NSTACKP,  TOP. PUSH, 
TRUE.TYPE.NO,  UNPACK. NLITATOM,  UNPACK. PACK. 

CORRECTNESS. OF. CODEGEN , CORRECTNESS. OF. OPTIMIZE , 
CORRECTNESS. OF. OPTIMIZING. COMPILER,  EVAL. 

CORRECTNESS . OF . CODEGEN , 

CORRECTNESS. OF. OPTIMIZING . COMPILER , EXEC , 
SEQUENTIAL. EXECUTION. 

AND,  CAIE,  FALSE.TYPE.NO,  FORMP,  IMPLIES,  LESSP, 
NLISTP,  NOT,  OR,  SKIPTYPE. 

NUMBERP. APPLY. 
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FORM 

CODEGEN,  COMPILE,  EVAL,  OPTIMIZE. 

FOFMP 

CORRECTNESS. OF. CODEGEN,  CORRECTNESS. OF . OPTIMIZE , 
CORRECTNESS. OF. OPTIMIZING. COMPILER , FORMP, 

FORMP. OPTIMIZE. 

GETVALUE 

EVAL,  EXEC,  LOADP. 

GO 

JUMP. 

HLRZ 

EXEC. 

HRRZ 

EXEC. 

IF 

ADD1. EQUAL,  ADD1 . NNUMBERP,  ADD1.SUB1,  AND,  APPEND, 
CAIE,  CAR. LESSP,  CAR.NLISTP,  CDR. LESSP,  CDR.NLISTP, 
CODEGEN,  EVAL,  EXEC,  FORMP,  IMPLIES,  LESSP,  NLISTP, 
NOT,  OPTIMIZE,  OR,  POP. LESSP,  POP.NSTACKP,  REVERSE, 
SKIPTYPE,  SUB1.ADD1,  SUB1. LESSP,  SUB  1 . NNUMBERP, 

TOP. LESSP,  TOP.NSTACKP,  UNPACK . LESSP , 

UNPACK. NLITATOM. 

ILDI 

EXEC. 

IMPLIES 

CORRECTNESS. OF. CODEGEN,  CORRECTNESS. OF. OPTIMIZE , 
CORRECTNESS. OF. OPTIMIZING. COMPILER,  FORMP. OPTIMIZE, 
SUB1.ELIM. 

INS 

CODEGEN,  CORRECTNESS. OF. CODEGEN,  ILDI,  XCT. 

INSTR 

EXEC. 

JUMP 

EXEC. 

KWOTE 

CAIE. 

LAMBDA 

AND,  APPEND,  CODEGEN,  COMPILE,  EVAL,  EXEC,  FORMP, 
IMPLIES,  LESSP,  NLISTP,  NOT,  OPTIMIZE,  OR,  REVERSE. 

LESSP 

CAR  . L.ESSP,  CDR.  LESSP,  LESSP,  POP.  LESSP,  SUB  1.  LESSP, 
TOP. LESSP,  UNPACK. LESSP. 

LIST 

CAIE,  CODEGEN,  OPTIMIZE,  REVERSE,  SKIPTYPE. 

LISTP 

APPEND,  CAR. LESSP,  CAR.NLISTP,  CDR. LESSP, 
CDR.NLISTP,  CODEGEN,  CONS . TYPE . NO , EVAL,  EXEC, 
FORMP,  NLISTP,  OPTIMIZE,  REVERSE. 

LITATOM 

PACK.TYPE.NO,  UNPACK. LESSP,  UNPACK. NLITATOM. 

LOAD? 


LOOP 

NIL 

NLISTP 

NOT 

NUMBERP 

OPTIMIZE 

P 

PACK 

PC 

PDS 

POP 

POP' 

POPARG 

PROG 

PROG1 

PROGBODY 

PROGN 

PUSH 


EXEC. 

EXEC. 

COMPILE,  REVERSE. 

APPEND,  CODEGEN,  EVAL,  EXEC,  FORMP,  OPTIMIZE, 
REVERSE. 

CAR. NLISTP,  CDR. NLISTP,  NLISTP,  POP.NSTACKP, 
SUB1.ELIM,  TOP. NSTACKP , UNPACK. NLITA TOM. 

ADD1. EQUAL,  ADD  1 . NNUMEERP , ADD1.SUB1,  ADD  1 .TYPE . NO 
CODEGEN,  EVAL,  NUMBERP. APPLY,  OPTIMIZE,  SUB1.ADD1, 
SUB1.ELIM,  SUB  1 . LESSP,  SUE  1 . NNUMBERP. 

COMPILE,  CORRECTNESS. OF. OPTIMIZE,  FORMP. OPTIMIZE, 
OPTIMIZF . 

AND,  IMPLIES,  NOT,  OR,  SUB1.ELIM. 

CAR. NLISTP,  CDR. NLISTP,  CODEGEN,  COMPILE,  EXEC, 
OPTIMIZE,  PACK. EQUAL,  PACK. TYPE . NO , POP.NSTACKP, 
REVERSE,  UNPACK. NLITATOM,  UNPACK. PACK. 

EXEC,  ILDI . 

CORRECTNESS . OF . CODEGEN , 

CORRECTNESS . OF . OPTIMIZING . COMPILER , EXEC , 
SEQUENTIAL. EXECUTION. 

EXEC,  POP. LESSP,  POP.NSTACKP,  POP. PUSH,  POPARG, 
PUSH. EQUAL,  PUSH.TYPE.NO,  TOP. PUSH. 

PUSH. EQUAL. 

EXEC. 

ASSEMBLE,  OPTIMIZE. 

CAIE , SKIPTYPE. 

CAIE,  SKIPTYPE. 

ILDI,  POPARG. 

CORRECTNESS . OF . CODEGEN , 

CORRECTNESS. OF. OPTIMIZ INC. COMPILER , EXEC,  POP. PUSH 
PUSH. EQUAL,  PUSH.TYPE.NO,  PUSHARG,  TOP. PUSH. 


PUSHARG 


EXEC. 


PUS  HI 
PUSHV 
0 

QUOTE 

RETURN 

REVERSE 

SETO 

SKIPTYPE 

STACK 

STACKP 

SUB  1 

SUBPAIR 

SUBST 

T 

TEMPI 

TEMP? 

TOP 

TOP' 

TRUE 


CODEGEN,  EXEC. 

CODEGEN . 

AND,  IMPLIES,  OR. 

ASSEMBLE,  CAIE,  CODEGEN,  HLRZ , HRRZ , ILDI,  JUMP, 
LOAD#,  POPARG,  PUSHARG,  SKIPTYPE,  XCT. 

EXEC,  OPTIMIZE. 

COMPILE,  CORRECTNESS. OF. CODEGEN,  REVERSE. 

CAIE,  HLRZ,  HRRZ,  ILDI,  LOAD#,  OPTIMIZE,  POPARG, 
PUSHARG,  SKIPTYPE,  XCT. 

EXEC. 

POPARG,  PUSHARG. 

POP. LESSP,  POP.NSTACKP,  PUSH . TYPE . NO , TOP.LESSP, 
TOP. NSTACKP . 

ADD1.SUB1,  ADD1.TYPE.NO,  LESSP,  SUB1.0,  SUB1.ADD1 
SUB1.ELIM,  SUB  1. LESSP,  SUB  1 . NNUMBERP. 

HLRZ,  HRRZ,  ILDI,  LOAD#,  POPARG,  PUSHARG. 

XCT. 

APPEND,  CODEGEN,  EVAL,  FORMP , OPTIMIZE,  REVERSE. 
OPTIMIZE. 

OPTIMIZE. 

EXEC,  POP. PUSH,  POPARG,  PUSH. EQUAL,  PUSH . TYPE . NO , 
TOP.LESSP,  TOP. NSTACKP,  TOP. PUSH. 

PUSH. EQUAL. 

ADD1. EQUAL,  ADD  1 . NNUMBERP , AND,  CAR. LESSP, 

CAR . NLISTP,  CDR. LESSP,  CDR.NLISTP,  FORMP,  IMPLIES 
LESSP,  NLISTP,  NOT,  OR,  POP. LESSP,  POP.NSTACKP, 
SUB  1. LESSP,  SUB  1. NNUMBERP,  TOP.LESSP,  TOP. NSTACKP 
TRUE.TYPE.NO,  UNPACK. LESSP,  UNPACK. NLITATOM. 
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TYPE. NO 

addi.type.no,  cong.type.no,  false.type.no, 
pack.type.no,  push.type.no,  true.type.no. 

UNPACK 

PACK. EQUAL,  PACK .TYPE . NO , UNPACK . LESSP , 
UNPACK. NLITATOM,  UNPACK. PACK. 

UNPACK' 

PACK. EQUAL. 

VAR 

LOAD#. 

X 

ADD1. EQUAL,  ADD1 .NNUMBERP,  ADD  1. SUB  1,  ADD  1 . TYPE . 
APPEND,  ASSEMBLE,  CAIE,  CAR. LESSP,  CAR.NLISTP, 
CDR. LESSP,  CDR.NLISTP,  CONS . TYPE . NO , 

CORRECTNESS . OF . CODEGEN , CORRECTNESS . OF . OPTIMIZE , 
CORRECTNESS . OF . OPTIMIZING . COMPILER , FORMP , 

FORMP. OPTIMIZE,  HLRZ , HRRZ,  ILDI , JUMP,  LESSP, 
LOAD#,  NLISTP , NUMPERP . A PPLY , PACK .TYPE . NO , 

POP. LESSP,  POP.NSTACKP,  POPARG,  PUSH . TYPE . NO , 
PUSHARG,  REVERSE,  SEQUENTIAL. EXECUTION , SKIPTYPE 
SUB1.ADD1,  SUB1.ELIM,  SUB1. LESSP,  SUB  1 . NNUMBERP , 
TOP. LESSP,  TOP . NSTTACKP , UNPACK . LESSP , 

UNPACK. NLITATOM,  XCT. 

XCT 

EXEC. 

Y 

ADD1. EQUAL,  APPEND,  LESSP,  NUMBERP . APPLY , 
SEQUENTIAL. EXECUTION. 
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